[thelist] session and/or cookie persistence across an ssl and non-ssl connection
Chris Blessing
webguy at mail.rit.edu
Thu Jan 17 16:41:19 CST 2002
Scott-
Let me rephrase that. I do know how to install a cert, and I know how to
configure a website for the cert. My question is this: is the only way
around having 2 separate sites, to invoke SSL (but not *require* it) on the
main non-ssl site, and then use ssl when necessary for certain pages and
directories?
A scenario might be this:
User goes to http://foo.com/blah.html
User clicks on "order" button
User goes to https://foo.com/order/blah.asp
But with this setup, the user could effectively browse the entire website
using SSL, which from a performance and usability standpoint is not that
great of an idea (especially to our server admins).
Am I screwed or am I screwed? =)
Chris Blessing
webguy at mail.rit.edu
http://www.330i.net
-----Original Message-----
From: thelist-admin at lists.evolt.org
[mailto:thelist-admin at lists.evolt.org]On Behalf Of Scott Dexter
Sent: Thursday, January 17, 2002 5:19 PM
To: thelist at lists.evolt.org
Subject: RE: [thelist] session and/or cookie persistence across an ssl
and non-ssl connection
>
> I will have to do some testing I suppose. The problem may be
> that the ssl
> and non-ssl sites are both separate "applications" as far as IIS is
That is exactly the problem. --And going to be very difficult to get
around (if at all) and still use the same Session ids (I mean, if it
were easy or possible, it would be a *huge* security hole)
Can you make them one application?
sgd
--
For unsubscribe and other options, including
the Tip Harvester and archive of TheList go to:
http://lists.evolt.org Workers of the Web, evolt !